We have many group-admins that need to be able to check on their deployment clients, but I don't want to give them write access to the DS. I could give them all access to _internal and parse out phoneHome connections from there, trying my best to duplicate the DS interface. But is there a better way? I tried limiting their capabilities in a new role on the DS, but without admin, the Forwarder Management app isn't accessible.
Thanks,
Jon
Not pretty, but it's doing what I need: Provide hostname, IP, Last Phone Home time, phone home interval and (bonus) last time data was seen, if you have access to the indexes where data was written. It requires that you run it locally on the DS, or have the DS listed as a search peer on the server you are searching on.
| rest splunk_server=deploymentserver /services/deployment/server/clients |
fields hostname ip *Phone* |
eval "Last Phone Home, Minutes Ago"=round((now()-lastPhoneHomeTime)/60,2) |
fields - lastPhoneHomeTime |
eval hostname=lower(hostname) |
join type=outer hostname [ |
metadata type=hosts index=*|
eval "Last Data, Hours Ago"=round((now()-lastTime)/60/60,2) |
table host, "Last Data, Hours Ago" |
rex field=host "(?<hostname>[^\.]+)" |
fields - host |
eval hostname=lower(hostname) ] |
where isnotnull(ip) |
fillnull value="no data, or index not available"
Looks like every view of deployment clients requires list_deployment_server AND edit_deployment_server.
Only way around would be a hack. You could go here:
$SPLUNK_HOME\etc\apps\search\default\data\ui\manager\
and edit deployment.xml, then remove AND edit_deployment_server from the following line
<read>list_deployment_server AND edit_deployment_server</read>
Save and restart ... After that, folks with list_deployment_server should be able to see that view, but couldn't make edits. At least I believe that would work. It would be an unsupported hack for sure, and would change every time you upgrade/reinstall.
Another option is to give them read only access to this endpoint somehow, via scripting, etc.
localhost:8089/services/deployment/server/clients
Thanks for the hackerific solution. That might work for me (assuming it works at all :-). I've been toying with the REST endpoint. With 3000 clients it returns a metric ton of information. Will need to figure out how to present something similar to the DSM page from there.
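A sketch of the scripting route mentioned above, added here as an example and not code from any poster or from Splunk: it trims the clients endpoint's JSON down to the columns the search in the earlier answer keeps, so group admins see a short report instead of the full response. The Bearer-token header, the read-only service account, the `stale_after_min` threshold and the sample payload are assumptions.

```python
import json
import time
import urllib.request

# Only these keys leave the script; everything else the endpoint returns is dropped.
ALLOWED = ("hostname", "ip", "lastPhoneHomeTime")

def fetch_clients(base_url, token):
    """GET the clients endpoint as JSON; count=0 asks for every entry."""
    # Assumes a token for a read-only service account and a DS certificate
    # that the local trust store accepts.
    url = base_url + "/services/deployment/server/clients?output_mode=json&count=0"
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_clients(payload, now=None, stale_after_min=60.0):
    """Reduce the response to one small row per client, most overdue first."""
    now = time.time() if now is None else now
    rows = []
    for entry in payload.get("entry", []):
        content = {k: entry.get("content", {}).get(k) for k in ALLOWED}
        if not content["ip"]:            # same filter as `where isnotnull(ip)`
            continue
        try:
            age = round((now - float(content["lastPhoneHomeTime"])) / 60, 2)
        except (TypeError, ValueError):  # never phoned home, or malformed value
            age = None
        rows.append({
            "hostname": (content["hostname"] or "").lower(),
            "ip": content["ip"],
            "minutes_since_phone_home": age,
            "stale": age is None or age > stale_after_min,
        })
    # Clients with no phone-home time sort first, then the longest silent ones.
    rows.sort(key=lambda r: (r["minutes_since_phone_home"] is not None,
                             -(r["minutes_since_phone_home"] or 0)))
    return rows

# Constructed sample response (not real output); the extra keys stand in for
# the fields the summary deliberately leaves out.
SAMPLE = {"entry": [
    {"content": {"hostname": "WEB01", "ip": "10.0.0.5",
                 "lastPhoneHomeTime": 1700000000, "extra_a": "x"}},
    {"content": {"hostname": "db02", "ip": "10.0.0.9",
                 "lastPhoneHomeTime": 1699990000, "extra_b": "y"}},
    {"content": {"hostname": "ghost", "ip": None}},
]}
```

Calling `summarize_clients(fetch_clients("https://localhost:8089", token))` from a scheduled job and publishing only the returned rows keeps the token and the full response on the DS side.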